In recent years, we have witnessed a growing number of vulnerabilities in UEFI systems. This is alarming because such vulnerabilities often go unpatched, or the affected signed binaries go unrevoked, for a long time, which makes them easy targets for threat actors. The latest development in this trend is the emergence of BlackLotus, the first publicly known UEFI bootkit to bypass an essential platform security feature, UEFI Secure Boot. This means that even fully updated Windows 11 systems with UEFI Secure Boot enabled are vulnerable to this threat.
What are UEFI bootkits?
UEFI bootkits are highly potent threats that can fully control the OS boot process. This means they can disable various OS security mechanisms and deploy their kernel-mode or user-mode payloads in early OS startup stages. This allows them to operate stealthily and with high privileges. Though a few UEFI bootkits have been discovered in the wild and publicly described, the emergence of BlackLotus is a game-changer.
BlackLotus is a UEFI bootkit sold on hacking forums since October 2022 for $5,000. It can run on the latest, fully-patched Windows 11 systems with UEFI Secure Boot enabled. This is achieved by exploiting a more than one-year-old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit.
UEFI bootkits: An overlooked vulnerability
This is the first publicly known in-the-wild abuse of this vulnerability, as reported by ESET. Although the vulnerability was fixed in Microsoft's January 2022 update, its exploitation is still possible because the affected, validly signed binaries have not been added to the UEFI revocation list (the Secure Boot DBX database). Secure Boot therefore still accepts them. BlackLotus takes advantage of this by bringing its own copies of the legitimate but vulnerable binaries to the system and exploiting the vulnerability there.
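The revocation list mentioned above is the Secure Boot DBX variable, a sequence of EFI_SIGNATURE_LIST structures whose SHA-256 entries are Authenticode hashes of forbidden PE images. The following is an added example, not ESET's code and not anything taken from BlackLotus, of the check a practitioner would actually run: parse a DBX blob and report whether a given image hash is revoked. The sample DBX blob and every hash in it are constructed for illustration; on Linux the live variable is read from efivarfs, and on Windows the same bytes come from `(Get-SecureBootUEFI -Name dbx).Bytes`.

```python
"""Check whether a PE image hash appears in a UEFI Secure Boot DBX blob.

Added example, not ESET's or the BlackLotus authors' code. It follows the
EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the UEFI specification.
The sample DBX below and every hash in it are constructed for illustration
and are not real revoked hashes.
"""
import struct
import uuid

# Signature-list types that appear in db/dbx
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID of the db/dbx variables, used in the efivarfs file name
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

SIGLIST_HDR = 28    # SignatureType GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize
SIGDATA_OWNER = 16  # every EFI_SIGNATURE_DATA starts with the SignatureOwner GUID


def parse_dbx(blob: bytes) -> set:
    """Return the SHA-256 image hashes stored in a DBX blob.

    Walks the consecutive EFI_SIGNATURE_LIST structures. Lists of other
    types (X.509 certificates, SHA-1 hashes, ...) are consumed but ignored.
    """
    hashes = set()
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        # UEFI GUIDs are stored in the mixed-endian layout that bytes_le expects
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < SIGLIST_HDR or end > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_type == EFI_CERT_SHA256_GUID:
            if sig_size != SIGDATA_OWNER + 32:
                raise ValueError("unexpected SignatureSize in SHA-256 list")
            pos = off + SIGLIST_HDR + hdr_size
            while pos + sig_size <= end:
                hashes.add(blob[pos + SIGDATA_OWNER:pos + sig_size])
                pos += sig_size
        off = end
    return hashes


def is_revoked(image_hash: bytes, dbx_blob: bytes) -> bool:
    """True if the Authenticode SHA-256 hash of a PE image is listed in the DBX."""
    return image_hash in parse_dbx(dbx_blob)


def build_list(sig_type: uuid.UUID, entries, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST; all entries must have the same length."""
    sig_size = SIGDATA_OWNER + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    header = sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR + len(body), 0, sig_size)
    return header + body


def read_live_dbx_linux():
    """Read the platform's DBX through efivarfs (Linux); None if unavailable.

    efivarfs prefixes the variable data with 4 bytes of variable attributes.
    """
    path = f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}"
    try:
        with open(path, "rb") as f:
            return f.read()[4:]
    except OSError:
        return None


# Constructed sample DBX: an X.509 list (ignored by the parser) followed by
# a SHA-256 list holding two constructed "revoked" image hashes.
REVOKED_A = bytes(range(32))
REVOKED_B = bytes([0xAB]) * 32
NOT_REVOKED = bytes([0xCD]) * 32
SAMPLE_DBX = (build_list(EFI_CERT_X509_GUID, [b"\x30\x82" + b"\x00" * 14])
              + build_list(EFI_CERT_SHA256_GUID, [REVOKED_A, REVOKED_B]))

if __name__ == "__main__":
    live = read_live_dbx_linux()
    if live is not None:
        print(f"live DBX: {len(parse_dbx(live))} SHA-256 entries")
    for name, h in (("REVOKED_A", REVOKED_A), ("NOT_REVOKED", NOT_REVOKED)):
        state = "revoked" if is_revoked(h, SAMPLE_DBX) else "not revoked"
        print(f"sample DBX: {name} is {state}")
```

Two caveats when running this against a real system. The hash to look up is the Authenticode hash of the PE image (the value Secure Boot computes over the file with the checksum, certificate table and trailing signature excluded), not a plain SHA-256 of the file on disk, so the two will not match unless you compute it the Authenticode way. And an updated DBX only stops the vulnerable binaries from being loaded in future; it does nothing for a machine on which the bootkit is already installed.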
Once installed, BlackLotus can disable OS security mechanisms such as BitLocker, HVCI, and Windows Defender. The bootkit’s main goal is to deploy a kernel driver and an HTTP downloader responsible for communication with the C&C and capable of loading additional user-mode or kernel-mode payloads. This makes it a potent tool for any threat actor.
Interestingly, some of the BlackLotus installers do not proceed with the bootkit installation if the compromised host uses one of the following locales: Romanian (Moldova) ro-MD, Russian (Moldova) ru-MD, Russian (Russia) ru-RU, Ukrainian (Ukraine) uk-UA, Belarusian (Belarus) be-BY, Armenian (Armenia) hy-AM, or Kazakh (Kazakhstan) kk-KZ. It is not yet clear why these locales are excluded, but the choice could be due to geopolitical reasons.
UEFI bootkits like BlackLotus are a cause for concern because they can significantly undermine system security. They operate stealthily, with high privileges, and can bypass UEFI Secure Boot, which makes them difficult to detect and remove. It is essential to patch vulnerabilities and revoke the vulnerable signed binaries within a reasonable window, so that a fixed bug cannot keep being exploited by simply reintroducing the old binaries. Organizations should also make sure their security controls cover the boot stage, since a bootkit can disable OS-level protections before they start.
The emergence of BlackLotus confirms that UEFI bootkits are a real, in-the-wild threat rather than a theoretical one. It is essential to stay vigilant and proactively protect systems from such threats.